PT-2026-37184 · Saltcorn · Saltcorn

Glutamate · Published 2026-04-16 · Updated 2026-05-07 · CVE-2026-42259

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions

Saltcorn versions prior to 1.4.6
Saltcorn versions prior to 1.5.6
Saltcorn versions prior to 1.6.0-beta.5

Description

Saltcorn fails to properly validate the dest parameter during the post-login process. The is_relative_url() function only blocks strings containing `:/` and `//`, which allows payloads using backslashes (`\`) to bypass the check. Since WHATWG-compliant browsers normalize backslashes to forward slashes for special schemes such as http and https, an attacker can craft a URL that redirects a user to an attacker-controlled domain after they log in. This can be used for credential phishing by redirecting users to a forged site. The issue is reachable on default installations and occurs when a victim is tricked into logging in via a crafted URL. The vulnerability involves the is_relative_url() function and the dest parameter.

Recommendations

Update to version 1.4.6.
Update to version 1.5.6.
Update to version 1.6.0-beta.5.
As a temporary workaround, restrict or avoid using the dest parameter in login requests until the software is updated.

Exploit · Fix

Weakness Enumeration

Open Redirect

Related Identifiers

CVE-2026-42259
GHSA-F3G8-9XV5-77GV

Affected Products

Saltcorn